Field
Embodiments presented herein generally relate to data loss prevention systems, and more specifically, to using DLP incident signatures to recognize false positive events generated by a DLP system.
Description of the Related Art
Data loss prevention (DLP) systems protect sensitive data from disclosure or misuse. To do so, DLP systems may monitor content leaving a network (sometimes referred to as "network DLP" or "data in motion DLP") or the use of content within a network (sometimes referred to as "endpoint DLP" or "data in use DLP"). For example, DLP systems may prevent personally identifiable information, such as Social Security numbers, bank account numbers, payment card information, and so on, from being transmitted between users in an insecure manner (e.g., in an e-mail) or otherwise made public (e.g., on the Internet). In other cases, DLP systems may prevent users from transmitting confidential information, such as financial information, proprietary product information, source code, or other protected data, as well as prevent unauthorized copies from being created (e.g., copying a document to a portable storage device). For example, an organization may separate data access by relevant groups (e.g., equities analysts and equities sales teams), and DLP systems may prevent one group from accessing confidential information of other groups that could be used for unethical or illegal purposes (e.g., an equities sales team accessing information from an analyst team for insider trading purposes). As another example, DLP systems may prevent source code, product development plans, or other confidential information from leaving the organization (whether by way of e-mail, by copying to removable media or to an online repository, etc.).
Generally, DLP systems are tuned to err on the side of caution in determining whether an event matches rules restricting transmission of or access to data. False positives, i.e., incorrectly flagging an event as violating a DLP rule, are generally favored over false negatives, i.e., failing to flag an event that does violate a DLP rule. Since an administrator can review incidents, a delay in transmitting data falsely flagged as violating a DLP rule is generally considered acceptable to ensure that sensitive data is not transmitted in violation of data security rules.
As a result, however, DLP systems often generate large numbers of false positive events, which consume storage resources on the DLP system and require an administrator to spend significant amounts of time identifying false positive events one by one.
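The tradeoff described above can be made concrete with a small content inspection rule set. The following Python example is added here for illustration and is not code from the original document or from any particular DLP product. It assumes two hypothetical rules, one for Social Security numbers and one for payment card numbers, and runs them over a few constructed messages in two modes: a lenient mode that flags any pattern match (the cautious tuning the passage describes), and a validating mode that additionally applies the Luhn check to card-shaped numbers and the Social Security Administration's structural rules to SSN-shaped numbers. The message content, rule names, and helper function names are assumptions for this example.

```python
import re

# Constructed sample messages for this example (not taken from the original document).
SAMPLES = [
    "Employee SSN on file: 219-09-9999",            # SSN-shaped and structurally plausible
    "Part number 000-12-3456 shipped",              # SSN-shaped, but area number 000 is never issued
    "Card on file: 4111 1111 1111 1111",            # card-shaped and passes the Luhn check
    "Tracking ref 1234 5678 9012 3456 left depot",  # card-shaped, but fails the Luhn check
]

# Hypothetical rule patterns. The SSN rule captures area, group and serial parts;
# the card rule accepts 13 to 16 digits with optional space or hyphen separators.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string satisfies the Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Apply the structural rules for issued SSNs: area is not 000, 666 or 900-999,
    group is not 00, and serial is not 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def scan(text: str, validate: bool) -> list[dict]:
    """Return DLP incidents for one message. With validate=False every pattern match is an
    incident (lenient tuning); with validate=True matches must also pass the validity checks."""
    incidents = []
    for m in SSN_RE.finditer(text):
        if not validate or ssn_plausible(*m.groups()):
            incidents.append({"rule": "SSN", "match": m.group(0)})
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not validate or luhn_valid(digits):
            incidents.append({"rule": "PAN", "match": m.group(0)})
    return incidents


def incident_count(messages: list[str], validate: bool) -> int:
    """Total number of incidents the rule set raises over a batch of messages."""
    return sum(len(scan(msg, validate)) for msg in messages)


if __name__ == "__main__":
    for mode in (False, True):
        label = "validating" if mode else "lenient"
        print(f"{label}: {incident_count(SAMPLES, mode)} incidents")
        for msg in SAMPLES:
            for inc in scan(msg, mode):
                print(f"  [{inc['rule']}] {inc['match']!r} in {msg!r}")
```

In lenient mode all four messages raise incidents, although only two of them carry data that could actually be an SSN or a card number; the other two are the false positives an administrator would have to dismiss by hand. The validity checks remove those two without touching the genuine matches, but they are not a complete answer: a Luhn-valid number that is not a card number, or a structurally plausible SSN that is really an order number, still passes, which is why the incident-signature approach this document goes on to describe operates on the incidents themselves rather than only on the matching rules.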